Cyber Posture

CVE-2024-56340

Severity: Medium
Published: 28 February 2025
Modified: 17 October 2025
KEV Added: (no date listed)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1222 (93.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to a local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads into the deficon parameter.

Security Summary

IBM Cognos Analytics versions 11.2.0 through 11.2.4 FP5 are affected by CVE-2024-56340, a local file inclusion vulnerability classified under CWE-23 (Relative Path Traversal). The flaw allows attackers to access sensitive files by inserting path traversal payloads into the deficon parameter. Published on 2025-02-28, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact.

Exploitation requires low privileges (PR:L) and can be performed remotely over the network (AV:N) with low complexity and no user interaction. A successful attack enables unauthorized reading of sensitive files, compromising confidentiality without impacting integrity or availability.

Mitigation details are available in the IBM security advisory at https://www.ibm.com/support/pages/node/7183676 and the vulnerability research repository at https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2024-56340.
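Added here as a defender's example, not code from the IBM advisory, the research repository, or the product itself: a small access-log scan that flags requests whose deficon parameter carries traversal sequences, including double-percent-encoded and backslash variants. The log format and the endpoint path are constructed placeholders; only the parameter name comes from the CVE description.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real Cognos traffic). The request
# path "/bi/placeholder" is a placeholder; only "deficon" comes from the CVE text.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /bi/placeholder?deficon=icon.png HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2025:10:00:02 +0000] "GET /bi/placeholder?deficon=../../../../placeholder/file.txt HTTP/1.1" 200 2048
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /bi/placeholder?deficon=..%252F..%252Fplaceholder.conf HTTP/1.1" 200 1024
10.0.0.4 - - [01/Mar/2025:10:00:04 +0000] "GET /bi/placeholder?other=..%2F..%2F HTTP/1.1" 200 64
"""

# Common-log-format fields: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252E%252E is eventually seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment, after decoding and backslash normalisation, is '..'."""
    normalised = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in normalised.split("/"))


def flag_deficon_traversal(log_text):
    """Return (client_ip, decoded deficon value, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected log format
        query = urlsplit(match["target"]).query
        params = parse_qs(query, keep_blank_values=True)  # parse_qs decodes once
        for raw_value in params.get("deficon", []):
            if has_traversal(raw_value):
                hits.append((match["ip"], fully_decode(raw_value), int(match["status"])))
    return hits
```

A flagged request answered with status 200 is the one to triage first, since it may indicate a successful read rather than a blocked attempt.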

Details

CWE(s): CWE-23

Affected Products

Vendor: IBM
Product: Cognos Analytics
Versions: 11.2.4, 12.0.4; ranges 11.2.0 to 11.2.4 and 12.0.0 to 12.0.4
